On 4 May 2022, the Romanian DPA announced it sanctioned a non-bank financial institution with a EUR 4,000 fine for audio-video monitoring of its employees in breach of Articles 5 and 6 of the GDPR.
The investigation was launched following the receipt of an affected data subject’s complaint denouncing audio-video monitoring systems being installed in employees’ offices in violation of the applicable data protection requirements.
During the investigation, the Romanian DPA found that the said controller had not proven that:
- the purpose (i.e., ensuring the protection of persons, property, and values of the employer and employees) of the audio-video monitoring had been justified;
- other less intrusive means had been used to achieve the claimed purpose and had proven ineffective prior to installing the audio-video monitoring systems at the workplace in 2020;
- compliance had been ensured with the principles of lawfulness, fairness and transparency, purpose limitation, and data minimization under the GDPR, as well as with the applicable specific requirements under the Romanian law implementing the GDPR.
The press release is available here (only in Romanian).